Connecting to Hive with DBeaver using Kerberos Authentication

0) Install DBeaver

You can find installation instructions here

1) Download the latest drivers

You can find the latest drivers on the Cloudera website

2) Create a folder to store the drivers

mkdir ~/.dbeaver-drivers/cloudera-hive/

3) Extract driver jars and move to the folder we made earlier

jars_in_folder

4) Create a New Driver in DBeaver

  1. Navigate to Database > Driver Manager > New
  2. Add all the files from ~/.dbeaver-drivers/cloudera-hive/
  3. Driver name: Hive-Cloudera (for labeling only)
  4. Class name: com.cloudera.hive.jdbc41.HS2Driver (at the time of this writing)
  5. Default port: 10000
  6. URL template: jdbc:hive2://{host}:{port}/{database};AuthMech=1;KrbRealm=FOO.BAR;KrbHostFQDN={server}; KrbServiceName=hive;KrbAuthType=2
    • Note you need to change FOO.BAR to match your krb5.conf settings

5) Create a New Connection

  1. In the menu bar Navigate to Database > New Connection
  2. Select Hive-Cloudera
  3. Fill in the appropriate values for host & database (I set database to default)
  4. Set server to be your KrbHostFQDN
  5. Leave your user name & password blank
  6. Test connection
  7. Press next, next, & change the name of this connection as you see fit
  8. Press finish

Congrats you’ve successfully connected to hive using kerberos authentication!

6) Troubleshooting

If you are receiving [Cloudera][HiveJDBCDriver](500168) Error creating login context using ticket cache: Unable to obtain Principal Name for authentication make sure to check the following

  1. Ensure that you have the latest cryptography libraries installed
    • Java 9 includes these libraries by default
  2. That you’ve configured your /etc/krb5.conf successfully
    • If you’ve done this correctly you should be able to run kinit in terminal and create a ticket without issue
  3. For Windows adding the following lines to your dbeaver.ini may be necessary as well
    • -Djava.security.krb5.conf=c:\kerberos\krb5.ini
      • note: this is the windows equivalent of /etc/krb5.conf
    • -Djava.security.auth.login.config=c:\kerberos\jaas.conf
      • success has also been reported with the following jaas.conf file & keytab usage
Client {
   com.sun.security.auth.module.Krb5LoginModule required
        debug=true
        doNotPrompt=true
        useKeyTab=true
        keyTab="C:\Users\{user}\krb5cc_{user}"
        useTicketCache=true
        renewTGT=true
        principal="{user}@FOO.BAR"
    ;
};

Related

comments powered by Disqus